JP2020535530A - Resource processing methods, equipment, systems and computer readable media - Google Patents

Abstract

The present application provides a resource processing method, an apparatus, a system, and a computer-readable medium, the background server identifies according to the received resource processing instruction, determines the resource to be processed, and the resource to be processed is provided by the second cloud service. When the resource is included, the resource processing request is sent to the second interface, and the second interface initiates an authentication request to the authentication server to access the resource provided by the second cloud service according to the resource processing request. The authentication server authenticates the access to the resource provided by the second cloud service, and if the authentication is successful, the authentication pass message is returned to the second interface, and the second interface responds to the authentication pass message and processes the resource. The instruction is sent to the background server, and the background server processes the resource to be processed in response to the resource processing instruction from the second interface.

Description

This application was filed with the Chinese Patent Office on September 30, 2017, with an application number of 201710914860. Claim the priority of the Chinese patent application, which is X and whose application name is "resource processing method, device, system and computer readable medium", the entire contents of which are incorporated herein by reference.

The present application relates to the field of Internet technology, in particular to resource processing methods, devices, systems and computer readable media.

Currently, cloud service permission management is generally directed to scenarios where the client calls the cloud interface, and by defining the corresponding authorization policy, the user side has access to the resources provided by the cloud service. Is to complete the management of. Such an authority management method belongs to the pre-authorization method and is mainly used to solve the problem that the cloud service provider manages the user's authority.

In the prior art, a client can use an interface to initiate a processing request for a resource provided by cloud service A, and if the user using this client passes authentication, the background server will use this resource. Can be processed. However, if the background server needs to access the resources provided by the other two cloud services when processing the resources of cloud service A, the client must continue to initiate the two processing requests separately. And it is necessary to authenticate the user twice separately, and only if all the authentications are passed, the background server is allowed to access the resources provided by the other two cloud services. Will be done. In such a scenario, it is necessary to appropriately arrange the three calling logics on the user side, so that both the design complexity and the maintenance cost are relatively high. Further, since the client on the user side needs to start the request three times, the processing efficiency for the resource provided by the cloud service is lowered.

In view of this, the embodiments of the present application provide resource processing methods, devices, systems and computer readable media, reduce design complexity and maintenance costs to some extent, and process the resources provided by cloud services. Improve efficiency.

In one aspect, the embodiments of the present application provide a resource processing method applied to a system including an interface device, a background server, and an authentication server, in which the interface device corresponds to a first cloud service. A first interface to be used and a second interface corresponding to the second cloud service are arranged at least.
The background server acquires a resource processing instruction from the first interface, and
The background server identifies the resource according to the resource processing instruction and determines the resource to be processed.
When the resource to be processed includes the resource provided by the second cloud service, the background server sends a resource processing request to the second interface, and the second interface requests the resource processing. Therefore, initiating an authentication request to the authentication server for accessing the resource provided by the second cloud service, and
In response to the authentication request, the authentication server authenticates access to the resource provided by the second cloud service, and if the authentication is successful, returns an authentication pass message to the second interface.
The second interface sends a resource processing instruction to the background server in response to the authentication pass message.
The background server includes processing the resource to be processed in response to the resource processing instruction from the second interface.

In another aspect, the embodiments of the present application also provide a resource processing method applied to a system including an interface device, a background server, and an authentication server, in which the interface device is the first cloud. At least a first interface corresponding to the service and a second interface corresponding to the second cloud service are arranged, and the above method is executed by the background server.
It is to acquire the resource processing instruction from the first interface, and here, the resource processing instruction is transmitted by the first interface in response to the authentication pass message, and the authentication pass message is the authentication server. Is the authentication pass message when authenticating access to the resources provided by the first cloud service.
Identification is performed according to the resource processing instruction to determine the resource to be processed, and
When the resource to be processed includes the resource provided by the second cloud service, the resource processing request is transmitted to the second interface.
Processing the resource to be processed in response to the resource processing instruction from the second interface, wherein the resource processing instruction is transmitted by the second interface in response to the authentication pass message. This includes that the authentication pass message is an authentication pass message when the authentication server authenticates access to the resource provided by the second cloud service.
In another aspect, the embodiments of the present application also provide a resource processing method applied to a system including an interface device, a background server, and an authentication server, in which the interface device is the first cloud. At least a first interface corresponding to the service and a second interface corresponding to the second cloud service are arranged, and this method is executed by the authentication server.
Receiving an authentication request sent by a second interface to access a resource provided by the second cloud service, wherein the authentication request is made by the second interface by a background server. The resource to be processed that is transmitted after receiving the resource processing request to be transmitted and is identified by the background server according to the resource processing instruction from the first interface is a resource provided by the second cloud service. Is included and
In response to the authentication request, authenticating access to the resource provided by the second cloud service,
If the authentication is passed, the authentication pass message is returned to the second interface.

An embodiment of the present application also provides a resource processing system including an interface device, a background server, and an authentication server, and the interface device includes a first interface corresponding to a first cloud service and a second cloud service. At least the corresponding second interface is in place
The background server acquires the resource processing instruction from the first interface and obtains the resource processing instruction.
The background server also identifies the resource to be processed according to the resource processing instruction, and determines the resource to be processed.
When the resource to be processed includes the resource provided by the second cloud service, the background server also sends a resource processing request to the second interface.
The second interface initiates an authentication request to the authentication server for accessing the resource provided by the second cloud service in accordance with the resource processing request.
In response to the authentication request, the authentication server authenticates access to the resource provided by the second cloud service, and if the authentication is successful, returns an authentication pass message to the second interface.
The second interface responds to the authentication pass message and also sends a resource processing instruction to the background server.
The background server responds to the resource processing instruction from the second interface and also processes the resource to be processed.

An embodiment of the present application also provides a storage medium in which a computer program is stored, and the above resource processing method can be realized after the computer program is executed by a processor.

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required in the embodiments will be briefly described below. Obviously, the drawings in the following description are only a few examples of the present application, and for those skilled in the art, it is possible to obtain other drawings based on these drawings on the premise that no creative labor is performed. it can.

It is an illustration of the architecture of the system to which the technical solution provided by the examples of this application is applied. It is the schematic of the interaction flow of the resource processing method provided by the embodiment of this application. It is a schematic diagram of another interaction flow of the resource processing method provided by the embodiment of the present application. It is a schematic flowchart on the background server side of the resource processing method provided by the embodiment of this application. It is a schematic flowchart on the authentication server side of the resource processing method provided by the embodiment of this application. It is explanatory drawing of the flow of one Embodiment of the resource processing method provided by the Example of this application. It is an exemplary diagram of the interaction flow of the identity verification method between the interface and the authentication server provided by the embodiments of the present application. It is an exemplary diagram of the interaction flow of the identity verification method between the interface and the background server provided by the embodiments of the present application. It is a schematic structure diagram of the resource processing system provided by the Example of this application. It is a functional block diagram of the source processing apparatus in the background server provided by the Example of this application. It is another functional block diagram of the resource processing apparatus in the authentication server provided by the embodiment of this application. It is a hardware architecture diagram of the resource processing apparatus in the background server provided by the embodiment of the application. It is a hardware architecture diagram of the resource processing apparatus in the authentication server provided by the Example of this application.

In order to better understand the technical solutions of the present application, examples of the present application will be described in detail below with reference to the drawings.

In the process of processing resources provided by a specific cloud service in the conventional technology, when the background server needs to access the resources provided by other cloud services, the user side initiates the resource processing request separately. Implementations of the present application address issues such as the need and relatively high design complexity and maintenance costs and relatively low processing efficiency due to separate authentication. An example is when the background server needs to access the resources provided by the second cloud service in the process of providing the corresponding solution, i.e., processing the resources provided by the first cloud service, in the background. The server initiates a resource processing request to the second interface corresponding to this second cloud service, thereby authenticating the first cloud service to access the resources provided by the second cloud service. Triggered that the second interface starts for the authentication server, and if the authentication passes, the background server performs resource processing via the second interface corresponding to this second cloud service. Will be done.

Guided by this idea, the embodiments of the present application provide the following embodiments.

See FIG. 1, which is an exemplary diagram of the architecture of the system to which the technical solutions provided by the embodiments of the present application apply. As shown in FIG. 1, the system includes an interface device, a background server, an authentication server, and one or more cloud services.

As shown in FIG. 1, in this system, at least a first interface and a second interface are arranged in the interface device, and in FIG. 1, only the first interface and the second interface are illustrated as an example, and the interface device. There is no limit to the number of interfaces included in. Here, the first interface corresponds to the first cloud service, the second interface corresponds to the second cloud service, and each cloud service may have one or more corresponding interfaces. The embodiment of the above is not particularly limited to this. The interface corresponding to each cloud service processes a resource processing request for the resource provided by this cloud service, which is initiated by the user side or a background server. When each interface processes a received resource processing request, each interface in the interface device acts as an access layer and process controller, responsible for the processing flow of this request, linking the flow of each operation, while each. The server completes the corresponding operations and processes by interacting with the interface separately. In one particular embodiment, the interface according to the embodiment of the present application may be a cloud application programming interface (API).

To explain, cloud services provide dynamic, easily extensible, often virtualized resources over the Internet based on the addition, use, and delivery modes of Internet-related services. In one embodiment, the cloud service can be borne by the cloud server, and the cloud service provider exposes the cloud service through the cloud server. Here, the resources provided by the cloud service belong to the components of the cloud service. For example, the resources provided by the cloud service include, but are not limited to, cloud virtual hosts, content delivery networks (CDNs), virtual private networks, and the like. Here, only the resources provided by the cloud service will be described with an example, and the types and number of resources provided by the cloud service are not limited.

It should be explained that the cloud service provider is mainly responsible for publishing the cloud services that it can provide by the cloud server, and the vendor registers with the cloud service provider and uses the resources provided by the cloud service. It refers to the user who does, and corresponds to the user of the resource provided by the cloud service. A cloud service provider can also be a vendor at the same time, i.e. a user of another cloud service, and similarly, a vendor can be a cloud service provider at the same time, making a cloud service another. Provide to the user.

As shown in FIG. 1, the authentication server executes authentication in response to the authentication request transmitted by each interface, and returns the corresponding authentication result to the interface to which the authentication request is transmitted. The background server processes the resource in response to the resource processing instruction of the interface. For security and ease of rights management, the client does not directly manipulate and process the resources provided by the cloud service, but the background server does the manipulation and processing instead, and therefore back. The ground server is the actual executor of resource processing and is used to manipulate and process the resources provided by the cloud service. For example, operations on the resources provided by the cloud service may be cloud virtual host application, cloud virtual host modification, or clustering of several cloud virtual hosts. Those skilled in the art can understand that this is merely an example and does not limit the types of resources and operations.

Based on the system shown in FIG. 1, the embodiment of the present application submits a resource processing method, and refer to FIG. 2 which is a schematic diagram of an interaction flow of the resource processing method provided by the embodiment of the present application. As shown in FIG. 2, this method involves the following steps, i.e.
At 201, the background server acquires the resource processing instruction from the first interface.

At 202, the background server identifies the resource according to the resource processing instruction and determines the resource to be processed.

In 203, when the resource to be processed includes the resource provided by the second cloud service, the background server sends the resource processing request to the second interface, and the second interface authenticates according to the resource processing request. Initiate an authentication request to the server to access the resources provided by the second cloud service.

At 204, the authentication server authenticates access to the resource provided by the second cloud service in response to the authentication request, and if the authentication is successful, returns an authentication pass message to the second interface.

At 205, the second interface sends a resource processing instruction to the background server in response to the authentication pass message.

At 206, the background server processes the resource to be processed in response to the resource processing instruction from the second interface.

In one embodiment, as shown in FIG. 3, the following steps may be further included before step 201.

200a, the first interface responds to the resource processing request sent by the client and initiates an authentication request to the authentication server to access the resource provided by the first cloud service.

200b, the authentication server authenticates the access to the resource provided by the first cloud service in response to the authentication request for accessing the resource provided by the first cloud service, and if the authentication is passed, the authentication is performed. The pass message is returned to the first interface.

200c, the first interface sends a resource processing instruction to the background server in response to the authentication pass message.

Here, since step 200c overlaps with step 201 in FIG. 3, step 200c is not reflected in FIG.

For step 200a, the embodiments of the present application provide the following embodiments, i.e.
In one particular embodiment, the client can send a resource processing request to this first interface by calling the first interface corresponding to the first cloud service that needs to be processed, and this resource. For processing requests,
The user's signature information entered by the client when calling the first interface,
It includes information on resources provided by the first cloud service for which processing has been requested.

It can be understood that in the embodiments of the present application, a client or background server can call an interface to send relevant requests to the interface, and the two expressions have the same meaning.

Further, the first interface responds to the resource processing request sent by the client, and the user's signature information attached to the resource processing request, which is input when the client calls the first interface, and the processing request. Based on the information of the resource provided by the first cloud service, an authentication request for accessing the resource provided by the first cloud service is generated, and the following information, that is, the following information is generated in this authentication request. ,
The user's signature information entered by the client when calling the first interface,
Information on the resources provided by the first cloud service that was requested to be processed,
Information on the first interface and.

It should be explained that the information of the resource provided by the first cloud service requested to be processed includes the identification information of the resource provided by the first cloud service requested to be processed and the information to be executed by this resource. Includes the specific processing method requested to be. For example, the resource is a particular cloud virtual host provided by the first cloud service, and the particular processing method is to read some data from the cloud virtual host. Alternatively, for example, the resource is some specific cloud virtual host provided by the first cloud service, and the specific processing method is to cluster some cloud virtual hosts.

For step 200b, the embodiments of the present application provide the following embodiments, i.e.
In one embodiment, the authentication server responds to an authentication request sent by the first interface to access the resources provided by the first cloud service, and the processing attached to the authentication request requires processing. The user's signature information is generated based on the information of the resource provided by the first cloud service, the information of the first interface, and the information of the user stored locally. After that, the authentication server compares the user's signature information generated by itself with the user's signature information attached to this authentication request, and if the comparison result is the same for the two signature information, the authentication is performed. Judging that it passed, it is shown that the client has access authority to the resource provided by the first cloud service, the authentication server returns the authentication pass message to the first interface, and conversely, the comparison result. If the two signature information is not the same, it is determined that the authentication has failed, it means that the client does not have access to the resources provided by the first cloud service, and the authentication server sends an authentication failure message. Is returned to the first interface.

For step 200c, the embodiments of the present application provide the following embodiments, i.e.
In one embodiment, the first interface sends a resource processing instruction to the background server in response to the authentication pass message returned by the authentication server, whereby the background server is requested by the client. 1 Process the resources provided by the cloud service. Here, this resource processing instruction may be accompanied by information on the resource provided by the first cloud service for which processing was requested, whereby the background server is designated according to this information. Executes the specified process for the resource.

In another embodiment, the first interface responds to the authentication failure message returned by the authentication server and replies the authentication failure instruction to the client, which further presents the authentication failure to the user according to the authentication failure instruction. This time, the process of the client accessing the resources provided by the first cloud service ends.

For step 202, the embodiments of the present application provide the following embodiments, i.e.
In the embodiments of the present application, the following two embodiments are provided regarding when the background server initiates an authentication request via an interface, that is,
In the first embodiment, after receiving the resource processing instruction from the first interface, the background server can first identify the resource according to the resource processing instruction and determine the resource to be processed. If resources provided by other cloud services other than the resources provided by the first cloud service are also included, the resources provided by other cloud services are referred to the authentication server via the corresponding interface. If the authentication request can be started and the background server gets the authentication pass message corresponding to all resources, resource processing is performed.

That is, the background server can gain access to each resource before processing the resource.

In the second embodiment, after receiving the resource processing instruction from the first interface, the background server first processes the resource provided by the first cloud service and tries to process it in the processing process. If it is found that the resource does not belong to the first cloud service and belongs to the second cloud service, the background server authenticates the resources provided by the second cloud service through the corresponding interface. An authentication request can be initiated to the server, and if the background server receives an authentication pass message, it processes the resources provided by the second cloud service and then goes to the resources provided by the second cloud service. After the processing of is executed, the resources provided by the first cloud service can be continuously processed, or an authentication request to another cloud service can be started.

That is, if the background server detects that it needs to access a resource provided by another cloud service, it can gain access to this resource.

After the background server receives the resource processing instruction from the first interface, this first cloud is attached to the resource processing instruction according to the information of the resource provided by the first cloud service for which processing is requested. When processing a resource provided by a service, if this resource needs to respond to this process and access another resource, the background server will access the other resource returned by this resource. You can get the request you need, and based on this request, the background server can determine which resources to process.

For example, if the client requests to process the virtual private network provided by the first cloud service, the background server must read the specified data from the virtual private network, however, the virtual private network backs up. After responding to the ground server's data read request, I discovered that I needed to get the security group information for a cloud virtual host to complete the data read task, but I got the security group information for a cloud virtual host. In doing so, it may be related to cloud virtual hosts and security groups, so the virtual private network replies information about these two resources to the background server, which processes according to the replied information. It is determined that the target resource includes a cloud virtual host and a security group of this cloud virtual host.

Further, in one embodiment, the background server is preconfigured between the cloud service and the resource based on one or more resources contained in the resource to be processed after determining the resource to be processed. Acquire the cloud service corresponding to each resource in the resource to be processed according to the correspondence relationship. After that, the background server determines whether the acquired cloud service includes the second cloud service, that is, whether the cloud service other than the first cloud service is included. If the background server determines that the acquired cloud service includes the second cloud service, the background server includes the resources provided by the second cloud service in the resources to be processed, that is, It is determined that the resources to be processed include resources other than the resources provided by the first cloud service, and then step 203 is executed. On the contrary, when the background server determines that all the acquired cloud services are the first cloud services, the background server does not include the resources provided by the second cloud service in the resources to be processed. That is, it is determined that the resources to be processed include only the resources provided by the first cloud service.

In the embodiment of the present application, when the resource to be processed includes only the resource provided by the first cloud service, the background server keeps the resource to be processed until all the processing of the resource to be processed is completed. The processing can be continued and the processing result can be returned to the first interface, whereby the first interface returns the processing result to the client.

For step 203, the embodiments of the present application provide the following embodiments, i.e.
In one embodiment, if the background server determines that the resource to be processed includes the resource provided by the second cloud service, the background server sends a resource processing request to the second interface. The resource processing request is accompanied by signature information of the first cloud service and information of resources provided by the second cloud service included in the resource to be processed. Here, the signature information of the first cloud service may be arranged in advance on the background server, or may be temporarily generated by the background server as needed. , There is no particular limitation on this.

Further, the second interface initiates an authentication request to the authentication server for accessing the resource provided by the second cloud service according to the resource processing request sent by the background server. Here, the authentication request is accompanied by the signature information of the first cloud service, the information of the resource provided by the second cloud service included in the resource to be processed, and the information of the second interface. .. In one embodiment, the second interface extracts the information in it from the resource processing request, and then generates this authentication request and sends it to the authentication server based on the extracted information and its own information. Can be done.

In one particular embodiment, the background server can call the second interface via the internal network interface, taking into account the security between the background server and the second interface.

In the embodiment of the present application, the client initiates a resource processing request for the resource provided by the first cloud service, but in the process in which the background server processes the resource provided by the first cloud service, this resource is used. In response to this process, this resource needs to access a resource provided by another cloud service, which is referred to as a resource provided by the second cloud service in the embodiments of the present application, at which time the client Does not initiate a resource processing request for the resource provided by the second cloud service, but the background server instead initiates a resource processing request for the resource provided by the second cloud service. In this case, the user of the resource provided by the second cloud service corresponds to the first cloud service, so that the first cloud service is not a normal vendor (that is, a user, and the normal vendor is a user). Is a super vendor. The supervender has the interface corresponding to the cloud service provided by itself and the access right to the resource, and the other cloud service provider has the access right to the resource and the interface of the cloud service provided by himself / herself. And can also be granted by other cloud service providers, and resources provided by other cloud service providers and permissions to access the interface can also be granted by other cloud service providers, permission interworking between cloud services, And authority interworking between interfaces is realized. Based on this, when the background server initiates a resource processing request to the second interface, the signature information of the first cloud service is attached. Correspondingly, when the second interface initiates an authentication request to the authentication server, the signature information of the first cloud service is also attached, which initiates an access request to the resource provided by the second cloud service. Is what is used for. Correspondingly, the authentication server receives the signature information of the first cloud service, and based on the signature information of the first cloud service, the access authority to the resource provided by the second cloud service by the first cloud service. Authenticate.

For step 204, the embodiments of the present application provide the following embodiments, i.e.
In one embodiment, the authentication server responds to an authentication request sent by the second interface to access the resources provided by the second cloud service, and the processing attached to the authentication request requires processing. The user's signature information is generated based on the resource information provided by the second cloud service, the information of the second interface, and the information of the first cloud service stored locally. After that, the authentication server compares the user's signature information generated by itself with the user's signature information attached to this authentication request, and if the comparison result is the same for the two signature information, the authentication is performed. Judging that it passed, it is shown that the first cloud service has access authority to the resources provided by the second cloud service, and the authentication server returns the authentication pass message to the second interface, and vice versa. , If the comparison result is that the two signature information is not the same, it is judged that the authentication has failed, it means that the first cloud service does not have the access authority to the resource provided by the second cloud service, and the authentication The server returns an authentication failure message to the second interface.

In one particular embodiment, the authentication server can acquire the information of the first cloud service from the preset policy information of the first cloud service when generating the signature information, and the acquired first cloud service. The signature information of the first cloud service can be obtained based on the information of.

For example, the policy information of the first cloud service may be shown as shown in Table 1.

For example, as shown in Table 1, the approver is the second cloud service, that is, it is the resources provided by the second cloud service that are accessed. The accessible interface refers to an interface corresponding to the second cloud service that can be called by the first cloud service, and is, for example, a cloud API (X) and a cloud API (F) of the second cloud service. The cloud API (X) and the cloud API (F) may be all interfaces corresponding to the second cloud service, or may be some interfaces corresponding to the second cloud service. The processable resource refers to which resource the first cloud service can access provided by the second cloud service. The condition refers to what condition must be provided when the first cloud service accesses a specific resource provided by the second cloud service, for example, the processing time and the number of times of the resource. Is. Validity refers to whether the authorization for the interfaces that can be called and the resources that can be processed by the authorized person is valid, and if "validity" is "authorized", the authorized person is defined in the policy information. Invoking the interface and corresponding resource is currently allowed, and if "validity" is not "permitted", then the authorized person may call the interface and corresponding resource defined in the policy information. Currently not allowed.

It should be explained that if the first cloud service has access to the resources of the second cloud service, this is because the first cloud service was authorized at the pre-authorization stage of rights management, and it was authorized. After that, the authentication server can store the policy information of the first cloud service and use it for generating the signature information and executing the authentication. Conversely, if you do not have access, this means that the first cloud service is not authorized during the pre-authorization stage of rights management, or the authorized resources include the resources provided by the second cloud service. If it is not included, or if the authorized interface does not have an interface or the like used to send a resource processing request, and the signature information is generated in this way. , The policy information of the first cloud service stored in the authentication server and the received signature information of the first cloud service do not match, and the authentication cannot be passed.

In one embodiment, the interface whitelist may be pre-located on the authentication server. When the authentication server receives the authentication request sent by the second interface, it first determines whether the second interface belongs to the interface white list according to the information of the second interface attached to the second interface, and belongs to the second interface. If so, the authentication server can respond to the authentication request and perform the above authentication, and conversely, if it does not belong, the authentication server does not have to respond to the authentication request or the identity is legal. You may reply to the second interface with a notification message that it is not.

For step 205, the embodiments of the present application provide the following embodiments, i.e.
In one embodiment, the second interface sends a resource processing instruction to the background server in response to the authentication pass message returned by the authentication server, which causes the background server to request the second cloud. Handle the resources provided by the service. Here, this resource processing instruction may be accompanied by information on the resource provided by the second cloud service for which processing was requested, whereby the background server is designated according to this information. Executes the specified process for the resource.

In another embodiment, the second interface responds to the authentication failure message returned by the authentication server and replies the authentication failure instruction to the client, which further presents the authentication failure to the user according to the authentication failure instruction. This time, the process by which the first cloud service accesses the resources provided by the second cloud service ends.

For step 206, the embodiments of the present application provide the following embodiments, i.e.
In one embodiment, the background server processes the resource to be processed in response to the resource processing instruction from the second interface.

It should be explained that since the second interface corresponds to the second cloud service, the background server can process the resources provided by the second cloud service when receiving the resource processing instruction from the second interface. Therefore, in response to this resource processing instruction, the background server processes the resource provided by the second cloud service, and after completing the processing to the resource provided by the second cloud service, the first You can continue to process the resources provided by the cloud service.

The background server sends a resource processing request with the signature information of the first cloud service and the information of the resource provided by the second cloud service included in the resource to be processed to the second interface. About that, in one particular embodiment, the background server uses the first encryption key to encrypt the information attached to the resource processing request and attaches the encrypted information. The resource processing request can be sent to the second interface.

Correspondingly, the second interface is attached with the signature information of the first cloud service, the information of the resource provided by the second cloud service included in the resource to be processed, and the information of the second interface. Regarding initiating an authentication request to an authentication server, in one particular embodiment, the second interface uses the first decryption key to decrypt the information attached to the resource processing request. If successful, the second encryption key is used to encrypt the decrypted information, that is, the second encryption key is used to decrypt and decrypt the second interface information. The information is encrypted, and an authentication request with the encrypted information is sent to the authentication server.

As a matter of explanation, in the embodiment of the present application, the basic security of the interaction information between the background server and the interface corresponding to each cloud service is ensured through the encryption means and the decryption means. Can be done. A mutual trust mechanism is pre-established between the background server and each interface, and the encryption key and the corresponding decryption key can be determined by the mutual trust mechanism. In this way, each piece of information in the resource processing request sent by the background server to the second interface can be encrypted, and correspondingly, the second interface decrypts the information in the received resource processing request. If the decryption is successful, it means that a mutual trust mechanism has been established between the two and that the information has a certain level of security guarantee.

Correspondingly, with respect to the authentication server authenticating the Axus to the resources provided by the second cloud service according to each information attached to the authentication request, in one particular embodiment, the authentication server is the first. The 2 decryption key can be used to decrypt the information in the authentication request sent by the 2nd interface, and if the decryption is successful, the 2nd cloud service is based on the decrypted information. Authenticate access to the resources provided by.

As a matter of explanation, in the embodiment of the present application, the basic security of the interaction information between the interface corresponding to each cloud service and the authentication server is ensured through the encryption means and the decryption means. Can be done. A mutual trust mechanism is pre-established between each interface and the authentication server, and the encryption key and the corresponding decryption key can be determined by the mutual trust mechanism. In this way, the information transmitted by the second interface to the authentication server can be encrypted, and correspondingly, the authentication server decrypts the information in the received authentication request, and if the decryption is successful, both. It shows that a mutual trust mechanism has been established between the two, and that the information has a certain security guarantee.

Further, as to be explained, in steps 200a to 200c, the information exchange between the first interface and the authentication server involved and the information exchange between the first interface and the background server are described above. Trust mechanisms can also be used, and in the interaction process, cryptographic and decryption means can be used to ensure the security of the information, which is not mentioned here again.

Please refer to FIG. 4, which is a schematic flowchart on the background server side of the resource processing method provided by the embodiment of the present application. As shown in FIG. 4, this method involves the following steps, i.e.
At 401, the resource processing instruction from the first interface is acquired.

At 402, identification is performed according to the resource processing instruction, and the resource to be processed is determined.

For a particular embodiment of step 402, a related description of step 202 can be referenced and will not be mentioned again here.

In 403, when the resource to be processed includes the resource provided by the second cloud service, the resource processing request is transmitted to the second interface.

For a particular embodiment of step 403, a related description of step 203 can be referred to and is not mentioned again here.

At 404, the resource to be processed is processed in response to the resource processing instruction from the second interface.

For a particular embodiment of step 404, a related description of step 206 can be referred to and is not mentioned again here.

Please refer to FIG. 5, which is a schematic flowchart on the authentication server side of the resource processing method provided by the embodiment of the present application. As shown in FIG. 5, this method comprises the following steps, i.e.
At 501, it receives an authentication request sent by the second interface to access the resource provided by the second cloud service.

For a particular embodiment of step 501, the relevant description for step 204 can be referred to and will not be mentioned again here.

At 502, in response to the authentication request, access to the resource provided by the second cloud service is authenticated.

For a particular embodiment of step 502, a related description of step 204 can be referred to and is not mentioned again here.

If the authentication is passed in 503, the authentication pass message is returned to the second interface.

For a particular embodiment of step 503, the relevant description for step 204 can be referred to and will not be mentioned again here.

See FIG. 6, which is an exemplary flow of a flow of one embodiment of the resource processing method provided by the embodiments of the present application. In this embodiment, the cloud API (X) corresponding to the cloud service A and the cloud service A and the cloud API (Y) corresponding to the cloud service B and the cloud service B are provided as examples according to the embodiment of the present application. The resource processing method will be described with an example.

At 601 the client transmits a resource processing request with the user's signature information and the resource information provided by the cloud service A to the cloud API (X) corresponding to the cloud service A.

At 602, the cloud API (X) responds to the resource processing request sent by the client by combining the user's signature information, the resource information provided by the cloud service A, and the loud API (X) information. Send the attached authentication request to the authentication server.

At 603, the authentication server authenticates that the client accesses the resource provided by the cloud service A in response to the authentication request from the cloud API (X), and if the authentication is successful, step 604 is executed. , If the authentication fails, the authentication failure message is returned to the cloud API (X). As a matter to be explained, in this embodiment, an example of passing the certification will be described as an example. Therefore, FIG. 6 does not show the flow of authentication failure.

The authentication server generates user signature information according to the resource information provided by the cloud service A, the cloud API (X) information, and the locally stored user information attached to the authentication request. After that, the user's signature information generated by itself is compared with the user's signature information attached to the authentication request, and if the comparison result is that the two signature information are the same, the authentication is passed. If it is determined that the client has access to the resources provided by cloud service A and step 604 is performed and conversely the comparison results are not the same for the two signature information. It is determined that the authentication has failed, it is indicated that the client does not have access authority to the resources provided by the cloud service A, and the authentication server returns an authentication failure message to the cloud API (X).

At 604, the authentication server returns an authentication pass message to the cloud API (X).

At 605, the cloud API (X) responds to the authentication pass message returned by the authentication server and issues a resource processing instruction with information on the resource provided by the cloud service A for which processing is requested. Send to a background server.

In 606, when the background server responds to the resource processing instruction, identifies according to the resource processing instruction, determines the resource to be processed, and the resource to be processed includes the resource provided by the cloud service B. , The resource processing request with the signature information of the cloud service A and the information of the resource provided by the cloud service B is transmitted to the cloud API (Y) corresponding to the cloud service B.

At 607, the cloud API (Y) responds to the resource processing request from the background server with the signature information of the cloud service A, the resource information provided by the cloud service B, and the cloud API (Y) information. Send the authentication request marked with to the authentication server.

At 608, the authentication server authenticates that cloud service A accesses the resources provided by cloud service B in response to the authentication request from the cloud API (X), and if the authentication is successful, step 609 is performed. If it is executed and authentication fails, an authentication failure message is returned to the cloud API (Y). As a matter to be explained, in this embodiment, an example of passing the certification will be described as an example. Therefore, FIG. 6 does not show the flow of authentication failure.

The authentication server sets the cloud service according to the resource information provided by the cloud service B, the cloud API (Y) information, and the locally stored cloud service A authentication information attached to the authentication request. The signature information of A is generated, and then the signature information of cloud service A generated by itself is compared with the signature information of cloud service A attached to the authentication request, and the comparison result is two signature information. If they are the same, it is determined that the authentication has passed, it is indicated that cloud service A has access to the resources provided by cloud service B, and step 609 is performed, and vice versa. If the result is that the two signature information is not the same, it is determined that the authentication has failed, it means that the cloud service A does not have access authority to the resources provided by the cloud service B, and the authentication server fails the authentication. Reply the message to the cloud API (Y).

At 609, the authentication server returns an authentication pass message to the cloud API (Y).

At 610, the cloud API (Y) responds to the authentication pass message returned by the authentication server and issues a resource processing instruction with information on the resource provided by the cloud service B for which processing is requested. Send to a background server.

At 611, the background server processes the resource provided by cloud service A in response to the resource processing instruction, then processes the resource provided by cloud service B, and finally provides by cloud service A. Process the resources that are

Both between the above interface and the authentication server, and between the interface and the background server, it is necessary to establish a mutual trust mechanism in advance and determine the encryption key and decryption key by the mutual trust mechanism. There is. In the examples of the present application, a lightweight level mutual trust mechanism is adopted in order to consider that the interaction between the interface and the authentication server and the interaction between the interface and the background server both belong to the internal interaction. On the one hand, the performance of the service can be improved, and on the other hand, basic security can be ensured.

In the examples of the present application, the above mutual trust mechanism is established through the following aspects.
1. Identity verification to the interface by the authentication server 2. Identity verification to the authentication server by the interface 3. Identity verification to the interface by the background server 4. Identity verification to the background server by the interface

Here, identity verification relating to the interface may be implemented using a signature mechanism. A certificate is assigned to each interface and the cloud service corresponding to each interface, and the interface must add this certificate to the request when accessing the authentication server. It is used as interface information, such as interface information or second interface information, that is, this certificate is used as interface information to access the authentication server. As a whole, the certificate of each interface and the cloud service corresponding to each interface may be assigned offline by the certificate server. If this certificate is used in the resource handling method described above, the certificate can be encrypted and decrypted using a symmetric key, or encrypted and decrypted using an asymmetric key. It can also be converted.

For identity verification on background and authentication servers, the certificate must also be assigned offline by the certificate server, and when using this certificate with the above resource handling methods, it is encrypted using an asymmetric key and Decryption can be performed, or encryption and decryption can be performed using a symmetric key. The public key may be stored on the side accessing the server, the private key may be stored on the server itself, which can reduce the possibility of being attacked to some extent and also the interaction information. Security can also be ensured.

See FIG. 7, which is an example diagram of the interaction flow of the identity verification method between the interface and the authentication server provided by one embodiment of the present application. As shown in FIG. 7, this method involves the following steps, i.e.
At 701, the certificate server assigns the certificate Pub_CA (Pub_Out, Domain ...) and the public key to the authentication server, and the corresponding private key is preconfigured in the authentication server. Remember the assigned certificate and public key.

At 702, the certificate server may assign a certificate to an interface, which certificate may be configured with an interface identifier (API_ID) and a private key (API_Secret).

Steps 701 and 702 belong to the certificate offline allocation stage of the certificate server.

In the embodiments of the present application, the public and private keys involved in certificate assignment may be symmetric keys or asymmetric keys. You can decide whether to use symmetric or asymmetric keys according to different application scenarios. For example, symmetric keys can be used for service scenarios with high performance requirements and low security requirements, and asymmetric keys can be used for service scenarios with low performance requirements. Not particularly limited.

At 703, the interface sends a certificate acquisition request to the authentication server.

At 704, the authentication server responds to the certificate acquisition request by encrypting the certificate previously assigned by the certificate server with the public key and returning it to the interface via the certificate acquisition response.

At 705, the interface decrypts the received certificate using the private key previously provided by the certificate server, and if the decryption is successful, both the interface and the authentication server identity verification pass. , And step 706 is performed.

It should be explained here that if the interface successfully decrypts the certificate using the private key, this private key and the public key of the encrypted certificate will be decrypted with the matching encryption key. It was shown to be a pair of keys, so the identity of the authentication server was proved, the identity of the interface was also proved, and both identities passed.

At 706, an encryption key and a decryption key are negotiated between the interface and the authentication server, and after the negotiation, the interface owns the encryption key and the authentication server owns the decryption key. , This encryption key and decryption key can be used to encrypt and decrypt the information attached to the authentication request initiated by the interface, which ensures the security of the communication.

Steps 703-706 belong to the key negotiation stage between the interface and the authentication server. Steps 703-706 need to be performed before the interface interacts with the authentication server to complete the key negotiation. In this way, if both parties need to interact, the encryption and decryption keys can be used directly, thereby improving the efficiency of interaction between the interface and the authentication server and the execution performance of the interface. Improve. Also, steps 703-706 may be performed periodically, thus periodically key-negotiating between the interface and the authentication server to update the encryption and decryption keys. May be performed, which further enhances the security of information interaction.

As a matter of explanation, the above interface refers to an interface corresponding to a cloud service in an interface device such as a first interface or a second interface, that is, each interface in the interface device is described above. Based on the method, identity verification with the authentication server can be realized.

See FIG. 8, which is an exemplary diagram of the interaction flow of the identity verification method between the interface and the background server provided by the embodiments of the present application. As shown in FIG. 8, this method comprises the following steps, i.e.
At 801 the certificate server assigns the certificate Pub_CA1 (Pub_Out1, Domain ...) and the public key to the background server, and the corresponding private key is preconfigured on the background server in the background The server remembers the assigned certificate and public key.

At 802, the certificate server assigns a certificate to an interface, which certificate may be configured with an interface identifier (API_ID) and a private key (API_Secret).

Steps 801 and 802 belong to the certificate offline allocation stage of the certificate server.

At 803, the interface sends a certificate acquisition request to the background server.

At 804, the background server responds to the certificate acquisition request by encrypting the certificate previously assigned by the certificate server with the public key and returning it to the interface via the certificate acquisition response.

At 805, the interface decrypts the received certificate using the private key previously provided by the certificate server, and if the decryption is successful, both the interface and the background server identity verification pass. And then step 806 is performed.

It should be explained here that if the interface successfully decrypts the certificate using the private key, the private key and the public key of the encrypted certificate will be matched with the encryption key and decryption. It was shown to be a pair of cryptographic keys, so the background server identity was proven, the interface identity was also proven, and both identities passed.

At 806, an encryption key and a decryption key are negotiated between the interface and the background server, and after the negotiation, the interface owns the encryption key and the background server owns the decryption key. This encryption and decryption key can be used to encrypt and decrypt the information attached to the authentication request initiated by the interface, which ensures the security of the communication. To.

Steps 803 to 806 belong to the key negotiation stage between the interface and the background server. Steps 803 to 806 need to be performed before the interface interacts with the background server to complete the key negotiation. In this way, if both parties need to interact, the encryption and decryption keys can be used directly, which allows for efficiency of interaction between the interface and the background server and the execution performance of the interface. To improve. Steps 803 to 806 may also be performed on a regular basis, thus periodically keying between the interface and the background server to update the encryption and decryption keys. Negotiations may be performed, which further enhances the security of information interaction.

As a matter of explanation, the above interface refers to an interface corresponding to a cloud service in an interface device such as a first interface or a second interface, that is, each interface in the interface device is described above. Identity verification with a background server can be achieved based on the method.

The embodiments of the present application further provide examples of devices for realizing each step and method in the embodiments of the above methods.

See FIG. 9, which is a schematic structural diagram of the resource processing system provided by the embodiments of the present application. As shown in FIG. 9, this system includes an interface device 100, a background server 200, and an authentication server 300, and the interface device 100 includes a first interface 101 corresponding to a first cloud service and a first interface 101. At least the second interface 102 corresponding to the two cloud services is arranged,
The background server 200 acquires the resource processing instruction from the first interface 101, and receives the resource processing instruction.
The background server 200 also identifies the resource to be processed according to the resource processing instruction, and determines the resource to be processed.
When the resource to be processed includes the resource provided by the second cloud service, the background server 200 also transmits a resource processing request to the second interface 102.
The second interface 102 initiates an authentication request to the authentication server 300 for accessing the resource provided by the second cloud service in accordance with the resource processing request.
In response to the authentication request, the authentication server 300 authenticates access to the resource provided by the second cloud service, and if the authentication is successful, returns an authentication pass message to the second interface 102.
The second interface 102 also sends a resource processing instruction to the background server 200 in response to the authentication pass message.
The background server 200 also processes the resource to be processed in response to the resource processing instruction from the second interface.

Since each unit in this embodiment can execute the method shown in FIG. 2, the related description with respect to FIG. 2 can be referred to for the portion not explained in detail in this embodiment.

See FIG. 10, which is a functional block diagram of the resource processing apparatus provided by the embodiments of the present application. This resource processing device is applied to a system including an interface device, a background server, and an authentication server. In this system, the interface device corresponds to a first interface corresponding to a first cloud service and a second cloud service. The device is located on the background server and, as shown in FIG. 10, the device is located.
The receiving unit 201 that acquires the resource processing instruction from the first interface,
A resource identification unit 202 that identifies a resource to be processed according to the resource processing instruction, and
When the resource to be processed includes the resource provided by the second cloud service, the transmission unit 203 that transmits the resource processing request to the second interface and
The resource processing unit 204 that processes the resource to be processed in response to the resource processing instruction from the second interface is included.

The device further
According to the preset correspondence relationship between the cloud service and the resource, the cloud service corresponding to each resource in the resource to be processed is acquired, and does the acquired cloud service include the second cloud service? If it is determined whether or not the acquired cloud service includes the second cloud service, it is determined that the resource to be processed includes the resource provided by the second cloud service. The determination unit 205 is included.

See FIG. 11, which is another functional block diagram of the resource processing apparatus provided by the embodiments of the present application. This resource processing device is applied to a system including an interface device, a background server, and an authentication server. In this system, the interface device corresponds to a first interface corresponding to a first cloud service and a second cloud service. At least a second interface is arranged, the device is located on the authentication server, and as shown in FIG. 11, the device is
A receiving unit 301 that receives an authentication request for accessing the resource provided by the second cloud service transmitted by the second interface.
An authentication unit 302 that authenticates access to a resource provided by the second cloud service in response to the authentication request.
When the authentication is passed, the transmission unit 303 that returns the authentication pass message to the second interface is included.

See FIG. 12, which is a hardware architecture diagram of the resource processing apparatus provided by the embodiments of the present application. Resource processing equipment applies to systems including interface devices, background servers, and authentication servers. In this system, at least a first interface corresponding to the first cloud service and a second interface corresponding to the second cloud service are arranged in the interface device, and the device is located in the background server. .. As shown in FIG. 12, the device includes a processor and a memory, which stores instructions that the processor can execute, and when the instructions are executed, the processor, as shown in FIG. In addition, the resource processing method applied to the background server side is executed, and it is not mentioned again here.

See FIG. 13, which is a hardware architecture diagram of the resource processing apparatus provided by the embodiment of the present application. Resource processing equipment applies to systems including interface devices, background servers, and authentication servers. In this system, at least a first interface corresponding to the first cloud service and a second interface corresponding to the second cloud service are arranged in the interface device, and the device is located in the authentication server. As shown in FIG. 13, the device includes a processor and a memory, which stores instructions that the processor can execute, and when the instructions are executed, the processor, as shown in FIG. In addition, the resource processing method applied to the authentication server side is executed, and it is not mentioned again here.

The embodiments of the present application further provide a computer-readable medium containing computer-executable instructions, when the computer-executable instructions are executed.
Steps to get resource processing instructions from the first interface,
The step of identifying the resource according to the resource processing instruction and determining the resource to be processed, and
When the resource to be processed includes the resource provided by the second cloud service, the step of transmitting the resource processing request to the second interface and
In response to the resource processing instruction from the second interface, the step of processing the resource to be processed is executed.

The embodiments of the present application further provide a computer-readable medium containing computer-executable instructions, when the computer-executable instructions are executed.
A step of receiving an authentication request sent by the second cloud service to access the resource provided by the cloud service, and
In response to the authentication request, a step of authenticating access to the resource provided by the second cloud service, and
If the authentication is passed, the step of returning the authentication pass message to the second interface is executed.

The technical solution of the embodiments of the present application has the following beneficial effects, i.e.
In the embodiment of the present application, when the background server needs to access the resource provided by the second cloud service in the process of processing the resource provided by the first cloud service, the background server is referred to as the second cloud service. A resource processing request is started for the second interface corresponding to the cloud service, so that the second interface gives the authentication server the authentication for the first cloud service to access the resources provided by the second cloud service. On the other hand, if the start is triggered and the authentication is passed, the background server is triggered to execute the resource processing via the second interface corresponding to the second cloud service. Compared to traditional technology, when the process of processing resources requires access to resources provided by other cloud services, the background server instead refers to the interface for the other cloud services. It initiates a resource processing request, which triggers the authentication server to perform the authentication, which avoids deploying multiple call logics on the user side and provides the information for authentication on the user side. You don't even need to. Therefore, it reduces the design complexity and maintenance costs of the client on the user side, and the process of processing resources can identify that the background server needs access to the resources provided by other cloud services. Therefore, the background server can initiate the resource processing request directly, which avoids causing the client to initiate the resource processing request by interacting with the client, and thus resource processing efficiency. To improve.

On the other hand, a lightweight level of mutual trust mechanism has been added to the examples of the present application, allowing identity verification to be performed between the interface and the authentication server, and between the interface and the background server. In addition, a certain degree of security and traceability is ensured on the premise that the interface information is encrypted and processed based on the key negotiated after the identity verification to ensure the efficiency of the processing.

One of ordinary skill in the art should clearly understand that, for convenience and brevity of description, the corresponding processes in the embodiments of the above methods can be referred to for the specific working processes of the above systems, devices and units. Yes, I won't mention it again here.

Further, each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may be physically separated, or two or more units may be integrated into one unit. May be done. The above-mentioned integrated unit may be realized in the form of hardware, or may be realized in the form of hardware plus a software functional unit.

The above integrated units, implemented in the form of software functional units, may be stored on a single computer-readable storage medium. The software functional unit described above is stored in one storage medium, and a computer device (such as a personal computer, server, or network device) or processor is a part of the method described in each embodiment of the present application. Includes several instructions to perform the steps in. The above-mentioned storage medium includes various media capable of storing a program code, for example, a U disk, a mobile hard disk, a read-only memory (ROM: Read-Only Memory), and a random access memory (RAM: Random Access Memory). , Magnetic disk or optical disk, etc.

100 Interface device 101 1st interface 102 2nd interface 200 Background server 300 Authentication server 300 Authentication request to access the resource provided by the 2nd cloud service Authentication server 301 Access the resource provided by the 2nd cloud service Receiving unit 302 that receives the authentication request for authentication 302 Authentication unit that authenticates access to the resource provided by the second cloud service 303 Sending unit that replies to the second interface

Claims (17)

A resource processing method applied to a system including an interface device, a background server, and an authentication server. In this system, the interface device includes a first interface corresponding to a first cloud service and a second cloud service. At least a second interface corresponding to the above method is provided.
The background server acquires a resource processing instruction from the first interface, and
The background server identifies the resource according to the resource processing instruction and determines the resource to be processed.
When the resource to be processed includes the resource provided by the second cloud service, the background server sends a resource processing request to the second interface, and the second interface requests the resource processing. Therefore, initiating an authentication request to the authentication server for accessing the resource provided by the second cloud service, and
In response to the authentication request, the authentication server authenticates access to the resource provided by the second cloud service, and if the authentication is successful, returns an authentication pass message to the second interface.
The second interface sends a resource processing instruction to the background server in response to the authentication pass message.
The background server includes processing the resource to be processed in response to the resource processing instruction from the second interface.
A method characterized by that. Before the background server gets the resource processing instruction from the first interface,
In response to the resource processing request sent by the client, the first interface initiates an authentication request to the authentication server to access the resource provided by the first cloud service.
When the authentication server authenticates access to the resource provided by the first cloud service in response to an authentication request for accessing the resource provided by the first cloud service and passes the authentication. Returning the authentication pass message to the first interface and
The first interface includes sending a resource processing instruction to the background server in response to an authentication pass message.
The method according to claim 1, wherein the method is characterized by the above. When the background server sends a resource processing request to the second interface, the signature information of the first cloud service and the information of the resource provided by the second cloud service included in the resource to be processed Including sending a resource processing request marked with to the second interface.
When the second interface initiates an authentication request to the authentication server for accessing the resource provided by the second cloud service in accordance with the resource processing request, the second interface causes the first cloud service. The authentication request with the signature information of the above, the information of the resource provided by the second cloud service included in the resource to be processed, and the information of the second interface is sent to the authentication server. Including starting
When the authentication server responds to the authentication request and authenticates access to the resource provided by the second cloud service, the authentication server can perform the first method according to each information attached to the authentication request. 2 Including authenticating access to resources provided by cloud services,
The method according to claim 1 or 2, wherein the method is characterized by the above. The background server makes a resource processing request to which the signature information of the first cloud service and the information of the resource provided by the second cloud service included in the resource to be processed are attached. To send to the interface, the background server uses the first encryption key to encrypt the information attached to the resource processing request, and the information obtained by encrypting the information is attached. Including sending a resource processing request to the second interface
The second interface is attached with the signature information of the first cloud service, the resource information provided by the second cloud service included in the resource to be processed, and the information of the second interface. Initiating the authentication request to the authentication server means that the second interface uses the first decryption key to decrypt the information attached to the resource processing request and succeeds in decryption. In the case, the second encryption key is used to encrypt the information obtained by decryption, and the authentication request with the information obtained by encryption is sent to the authentication server.
When the authentication server authenticates access to the resource provided by the second cloud service according to each information attached to the authentication request, the authentication server uses the second decryption key. , The information in the authentication request transmitted by the second interface is decrypted, and if the decryption is successful, the access to the resource provided by the second cloud service is authenticated based on the information obtained by the decryption. Including that
The method according to claim 3, wherein the method is characterized by the above. When the resource to be processed includes the resource provided by the second cloud service, the resource processing request is further added before being transmitted to the second interface.
Acquiring the cloud service corresponding to each resource in the resource to be processed according to the preset correspondence relationship between the cloud service and the resource, and
Determining whether the acquired cloud service includes the second cloud service,
When it is determined that the acquired cloud service includes the second cloud service, it is determined that the resource to be processed includes the resource provided by the second cloud service.
The method according to claim 1, wherein the method is characterized by the above. A resource processing method applied to a system including an interface device, a background server, and an authentication server. In this system, the interface device includes a first interface corresponding to a first cloud service and a second cloud service. There is at least a second interface corresponding to the above method, and this method is performed by the background server.
It is to acquire the resource processing instruction from the first interface, and here, the resource processing instruction is transmitted by the first interface in response to the authentication pass message, and the authentication pass message is the authentication server. Is the authentication pass message when authenticating access to the resources provided by the first cloud service.
Identification is performed according to the resource processing instruction to determine the resource to be processed, and
When the resource to be processed includes the resource provided by the second cloud service, the resource processing request is transmitted to the second interface.
Processing the resource to be processed in response to the resource processing instruction from the second interface, wherein the resource processing instruction is transmitted by the second interface in response to the authentication pass message. The authentication pass message is an authentication pass message when the authentication server authenticates access to the resource provided by the second cloud service.
A method characterized by that. When the resource to be processed includes the resource provided by the second cloud service, the resource processing request is further added before being transmitted to the second interface.
Acquiring the cloud service corresponding to each resource in the resource to be processed according to the preset correspondence relationship between the cloud service and the resource, and
Determining whether the acquired cloud service includes the second cloud service,
When it is determined that the acquired cloud service includes the second cloud service, it is determined that the resource to be processed includes the resource provided by the second cloud service.
The method according to claim 6, wherein the method is characterized by the above. Before sending the resource processing request to the second interface,
Generating the signature information of the first cloud service and
The resource processing request includes the signature information of the first cloud service and the information of the resource provided by the second cloud service included in the resource to be processed.
The method according to claim 6, wherein the method is characterized by the above. A resource processing method applied to a system including an interface device, a background server, and an authentication server. In this system, the interface device includes a first interface corresponding to a first cloud service and a second cloud service. A second interface corresponding to is at least arranged, and this method is performed by the authentication server, the method described above.
Receiving an authentication request sent by a second interface to access a resource provided by the second cloud service, wherein the authentication request is made by the second interface by a background server. The resource to be processed that is transmitted after receiving the transmitted resource processing request and is identified by the background server according to the resource processing instruction from the first interface is a resource provided by the second cloud service. Is included and
In response to the authentication request, authenticating access to the resource provided by the second cloud service,
If the authentication is passed, the authentication pass message is returned to the second interface, and the like is included.
A method characterized by that. The authentication request is accompanied by the signature information of the first cloud service, the resource information provided by the second cloud service included in the resource to be processed, and the information of the second interface.
To authenticate access to the resource provided by the second cloud service in response to the authentication request
The signature information of the first cloud service according to the information of the second interface, the resources provided by the second cloud service that need to be accessed, and the locally stored information of the first cloud service. To generate and
The signature information of the first cloud service received via the second interface is compared with the signature information of the first cloud service generated by itself, and if the two signature information are the same, the authentication is passed. Judging that it was done, including
9. The method of claim 9. Before receiving the authentication request sent by the second interface to access the resource provided by the second cloud service, further
Receiving an authentication request sent by the first interface to access the resource provided by the first cloud service, and
In response to the authentication request for accessing the resource provided by the first cloud service, the access to the resource provided by the first cloud service is authenticated, and if the authentication is passed, the authentication pass message is sent. Including replying to the first interface,
9. The method of claim 9. A resource processing system including an interface device, a background server, and an authentication server, wherein the interface device includes at least a first interface corresponding to a first cloud service and a second interface corresponding to a second cloud service. Placed,
The background server acquires the resource processing instruction from the first interface and obtains the resource processing instruction.
The background server also identifies the resource to be processed according to the resource processing instruction, and determines the resource to be processed.
When the resource to be processed includes the resource provided by the second cloud service, the background server also sends a resource processing request to the second interface.
The second interface initiates an authentication request to the authentication server for accessing the resource provided by the second cloud service in accordance with the resource processing request.
In response to the authentication request, the authentication server authenticates access to the resource provided by the second cloud service, and if the authentication is successful, returns an authentication pass message to the second interface.
The second interface responds to the authentication pass message and also sends a resource processing instruction to the background server.
The background server responds to the resource processing instruction from the second interface and also processes the resource to be processed.
A system characterized by that. Before the background server acquires the resource processing instruction from the first interface, the first interface accesses the resource provided by the first cloud service in response to the resource processing request sent by the client. Initiate an authentication request for the authentication server
When the authentication server authenticates access to the resource provided by the first cloud service in response to an authentication request for accessing the resource provided by the first cloud service and passes the authentication. Reply the authentication pass message to the first interface,
The first interface sends a resource processing instruction to the background server in response to the authentication pass message.
12. The system according to claim 12. The background server further requests a resource processing request to which the signature information of the first cloud service and the information of the resource provided to the second cloud service included in the resource to be processed are attached. Send to the second interface
The second interface is attached with the signature information of the first cloud service, the information of the resource provided by the second cloud service included in the resource to be processed, and the information of the second interface. Initiate an authentication request to the authentication server
In response to the authentication request, the authentication server authenticates access to the resource provided by the second cloud service according to each information attached to the authentication request.
The system according to claim 12 or 13. The background server further encrypts the information attached to the resource processing request by using the first encryption key, and makes a resource processing request including the encrypted information to the second interface. Send to
The second interface further decrypts the information attached to the resource processing request by using the first decryption key, and if the decryption is successful, decrypts by using the second encryption key. The obtained information is encrypted, and an authentication request with the encrypted information is sent to the authentication server.
The authentication server further decodes the information in the authentication request transmitted by the second interface by using the second decryption key, and if the decryption is successful, based on the information obtained by the decryption. Authenticate access to the resources provided by the second cloud service,
14. The system according to claim 14. The authentication server further follows the information of the second interface, the resources provided by the second cloud service that need to be accessed, and the locally stored information of the first cloud service. Generate the signature information of the first cloud service
The authentication server compares the signature information of the first cloud service received via the second interface with the signature information of the first cloud service generated by itself, and the two signature information are the same. If it is judged that the certification has passed,
14. The system according to claim 14. A storage medium in which a computer program is stored, wherein the resource processing method according to any one of claims 1 to 11 can be realized after the computer program is executed by a processor.

Images